1. Technical Field
This disclosure relates generally to user authentication across services operating in a network environment.
2. Background of the Related Art
The problem of mapping identity across web services, especially social networks, can be very difficult. Several options are available to enable re-use of identity across domains. These include protocols such as OpenID and SAML, as well as proprietary login systems provided by individual web services. OpenID, for example, is an open standard that allows users to be authenticated by certain co-operating sites (known as relying parties) using a third party service, which eliminates the need for webmasters to provide their own ad hoc systems. With OpenID, users create accounts with their preferred OpenID identity providers, and then use those accounts as the basis for signing on to any website which accepts OpenID authentication. Security Assertion Markup Language (SAML) is an XML-based standard for exchanging authentication and authorization data between security domains, that is, between an identity provider (a producer of assertions) and a service provider (a consumer of assertions). The Service Provider (SP) trusts the Identity Provider (IdP) to authenticate the principal. SAML assumes the principal (often a user) has enrolled with at least one identity provider, which is expected to provide local authentication services to the principal. At the principal's request, the identity provider passes a SAML assertion to the service provider. On the basis of this assertion, the service provider makes an access control decision. To facilitate SAML, a trusted partnership may be set up in which IdPs and SPs exchange metadata about each other's SAML implementation, including the certificates used to sign and encrypt SAML assertions; it is this exchanged metadata that lets an SP verify that an assertion actually came from the IdP it trusts before acting on it.
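The SP side of the SAML exchange described above, as an added example that is not part of the disclosure: an IdP issues a signed assertion, and the SP checks signature, issuer, audience, validity window and replay against the metadata it holds before making its own access control decision. Real SAML signs assertions with XML Signature using the IdP certificate from metadata; the HMAC over canonical JSON, the entity IDs, the key and the attribute names here are all assumptions made so the example runs with the standard library only.

```python
"""Service-provider-side handling of a SAML-style assertion.

Added illustration, not code from the disclosure. Real SAML signs
assertions with XML Signature using the IdP certificate published in
metadata; here the signature is modelled as an HMAC over a canonical
JSON form so the example runs with the standard library only. The
checks the SP performs before trusting the assertion are the real ones.
"""
import hashlib
import hmac
import json

# Hypothetical metadata exchanged when the IdP/SP trust partnership was
# set up (constructed sample values; the key stands in for the IdP
# signing certificate).
IDP_METADATA = {
    "entity_id": "https://idp.example.org",
    "signing_key": b"idp-signing-key-from-metadata",
}
SP_ENTITY_ID = "https://sp.example.com"
CLOCK_SKEW = 60  # seconds tolerated for IdP/SP clock drift


def _canonical(assertion):
    return json.dumps(assertion, sort_keys=True, separators=(",", ":")).encode()


def idp_issue_assertion(subject, attributes, now, key, audience=SP_ENTITY_ID):
    """IdP side: after authenticating the principal locally, emit a signed assertion."""
    assertion = {
        "id": hashlib.sha256(f"{subject}|{now}|{audience}".encode()).hexdigest()[:16],
        "issuer": IDP_METADATA["entity_id"],
        "subject": subject,
        "audience": audience,
        "not_before": now - 5,
        "not_on_or_after": now + 300,
        "attributes": attributes,
    }
    signature = hmac.new(key, _canonical(assertion), hashlib.sha256).hexdigest()
    return {"assertion": assertion, "signature": signature}


class ServiceProvider:
    """SP side: trust only what the IdP named in metadata has signed, then decide."""

    def __init__(self):
        self._seen_ids = set()  # replay cache: each assertion ID is consumed once

    def decide(self, message, now):
        """Return (granted, reason). Every check must pass before attributes are used."""
        a = message["assertion"]
        expected = hmac.new(IDP_METADATA["signing_key"], _canonical(a), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, message["signature"]):
            return False, "bad signature"
        if a["issuer"] != IDP_METADATA["entity_id"]:
            return False, "unknown issuer"
        if a["audience"] != SP_ENTITY_ID:
            return False, "assertion not intended for this SP"
        if now < a["not_before"] - CLOCK_SKEW or now >= a["not_on_or_after"] + CLOCK_SKEW:
            return False, "outside validity window"
        if a["id"] in self._seen_ids:
            return False, "replayed assertion"
        self._seen_ids.add(a["id"])
        # The access control decision is the SP's own, made on the asserted attributes.
        if "staff" not in a["attributes"].get("groups", []):
            return False, "authenticated but not entitled"
        return True, "ok"
```

The ordering matters: the signature is checked before any field is read, so a tampered audience or attribute list is rejected as a forgery rather than evaluated; the audience check stops an assertion issued for one SP from being replayed at another; and the ID cache makes each assertion single-use.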
While these protocols have advantages, they each depend on the existence of a central identity provider. Often, however, there are situations where a centralized identity provider is unavailable or unsuitable, for example, if a user does not have an identity with that provider, or if the user does not trust a web service with his or her centralized identity. In these cases, protocols for “delegated authorization” are a better fit for the problem of mapping identity across web services.
One such delegated authorization protocol is OAuth, by which users can authorize creation of temporary access tokens to link their accounts between web services without the need for a centralized identity. OAuth is an open protocol that enables users to share their private data held on one Web site with a different Web site without handing over their credentials, and without exposing more of that data than they authorize; the data continues to be held by, and released only by, the original Web site. In other words, the OAuth protocol allows users to share private resources stored on one Web site with other sites without exposing the users' credentials—for example, usernames and passwords—to Web sites other than the one holding the users' data.
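The delegated authorization exchange described above, as an added example that is not part of the disclosure: the user authenticates only to the site holding the data and consents to a scope, that site issues a temporary opaque token to the third-party site, and the third-party site can then fetch only what the scope covers, for as long as the grant lives. The site names, sample data, scope names, token format and lifetime are constructed for the example; a real deployment uses the OAuth authorization-code flow over TLS with redirect URIs, which this collapses into direct calls.

```python
"""Delegated authorization in the OAuth style: the third-party site
receives a temporary, scoped access token, never the user's password.

Added illustration, not code from the disclosure; the site names, data,
scopes and token handling are constructed for the example. A real
deployment uses the OAuth authorization-code flow over TLS with redirect
URIs; this collapses the flow into direct calls to show what each party
sees.
"""
import secrets


class HostingSite:
    """The Web site that holds the user's data; acts as authorization and resource server."""

    def __init__(self):
        self._passwords = {"alice": "correct horse battery staple"}  # constructed
        self._data = {
            "photos": {"alice": ["beach.jpg", "dog.jpg"]},
            "contacts": {"alice": ["bob@example.net"]},
        }
        self._grants = {}  # opaque token -> grant record (user, client, scope, expiry)

    def authorize(self, username, password, client_id, scope, now, ttl=600):
        """The user authenticates to the hosting site only and consents to a scope.

        Returns (ok, token_or_reason). The token is an opaque handle to a grant,
        not an identity: it expires and carries no cross-domain identifier.
        """
        if self._passwords.get(username) != password:
            return False, "bad credentials"
        token = secrets.token_urlsafe(16)
        self._grants[token] = {"user": username, "client": client_id,
                               "scope": frozenset(scope), "exp": now + ttl}
        return True, token

    def resource(self, token, kind, now):
        """Resource server: release only what a live grant's scope covers."""
        grant = self._grants.get(token)
        if grant is None or now >= grant["exp"]:
            return False, "invalid or expired token"
        if kind not in grant["scope"]:
            return False, "out of scope"
        return True, list(self._data[kind][grant["user"]])

    def revoke(self, token):
        """The user can cut the link at any time without changing a password."""
        return self._grants.pop(token, None) is not None


class PrintingSite:
    """Third-party site the user links; it holds the token and nothing else."""

    def __init__(self, host):
        self._host = host
        self._token = None

    def link(self, token):
        self._token = token

    def fetch(self, kind, now):
        return self._host.resource(self._token, kind, now)
```

Note what the PrintingSite never receives: the password, the contacts outside the granted scope, or any stable identifier for the user. The token is the entire relationship, and it ends when the grant expires or is revoked.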
While OAuth also provides advantages, it does not explicitly map identity between domains: an access token authorizes access to a resource, it does not assert who the user is. And because such tokens are temporary, OAuth by itself does not enable persisting of long-term relationships across services.